9:19 a.m.
Hi List,
Is it possible to prevent other clients from stealing my libvirtd
hosted spice session? This is a problem for me where multiple
co-workers access the same guest over a qemu+ssh:// connection.
Instead of simply disconnecting clients, I'd like libvirtd to deny the
new client.
I've been looking at polkit acl rules and the vnc sharePolicy
attribute but so far no luck.
3:50 a.m.
On 13.02.2015 16:19, Jon Doe wrote:
Hi List,
Is it possible to prevent other clients from stealing my libvirtd
hosted spice session? This is a problem for me where multiple
co-workers access the same guest over a qemu+ssh:// connection.
Instead of simply disconnecting clients, I'd like libvirtd to deny the
new client.
I've been looking at polkit acl rules and the vnc sharePolicy
attribute but so far no luck.
I think the only possible way is to set a password to protect the SPICE
session. You know, libvirt doesn't interfere into SPICE connection
process. And the sharePolicy attribute exists only for VNC. SPICE
doesn't seem to support that.
Michal
7:09 a.m.
Any idea how to do this with virsh or hooks? Qemu seems to have a
spice.set_ticket command, but calling this from virsh's
'qemu-monitor-command guest --hmp --cmd spice.set_ticket password'
doesn't work.
The password would somehow have to be reset once the client logs out.
On Mon, Feb 16, 2015 at 11:50 AM, Michal Privoznik <mprivozn(a)redhat.com> wrote:
On 13.02.2015 16:19, Jon Doe wrote:
> Hi List,
>
> Is it possible to prevent other clients from stealing my libvirtd
> hosted spice session? This is a problem for me where multiple
> co-workers access the same guest over a qemu+ssh:// connection.
> Instead of simply disconnecting clients, I'd like libvirtd to deny the
> new client.
>
> I've been looking at polkit acl rules and the vnc sharePolicy
> attribute but so far no luck.
>
I think the only possible way is to set a password to protect the SPICE
session. You know, libvirt doesn't interfere into SPICE connection
process. And the sharePolicy attribute exists only for VNC. SPICE
doesn't seem to support that.
Michal
7:27 a.m.
On 16.02.2015 14:09, Jon Doe wrote:
Any idea how to do this with virsh or hooks? Qemu seems to have a
spice.set_ticket command, but calling this from virsh's
'qemu-monitor-command guest --hmp --cmd spice.set_ticket password'
doesn't work.
No, that won't work, because apparently, Qemu/SPICE folks have thought
that if SPICE was started without a password, it's meant to be open and
therefore password cannot be set afterward. Or vice versa - if SPICE was
started with a password, it can't be removed. But yes, it can be changed.
Moreover, you certainly don't want to bypass libvirt on this. We have an
attribute for that //graphics/@passwd.
The password would somehow have to be reset once the client logs out.
Yep, that's how RHEV does it.
You can set the password in domain XML, and set it to timeout shortly
(//graphoics/@passwdValidTo).
Michal
3567
days inactive
3570
days old
3 comments
2 participants
participants (2)
-
Jon Doe -
Michal Privoznik